An Android banking trojan named 'Godfather' has been targeting users in 16 countries, attempting to steal account credentials for over 400 online banking sites and cryptocurrency exchanges.
When victims try to log in to a targeted site or app, they are tricked into entering their credentials on a well-crafted fake login page generated by the malware.
Group-IB analysts believe that the current Godfather is the successor of an older banking trojan that fell out of use because it could not get past newer Android defenses.
Since ThreatFabric first discovered it in March 2021, the code has undergone massive upgrades and improvements.
A report published yesterday by Cyble highlighted a rise in Godfather activity, with the malware posing as an app that mimics a popular music tool in Turkey, downloaded 10 million times.
Targeting banks in other countries.
The main distribution channels have not been identified, so the initial infection method is largely unknown.
Most of the banking apps targeted by Godfather are in the US, Turkey, Spain, Canada, France, Germany, and the UK.
The targets include more than 100 banking apps, more than 100 cryptocurrency exchange platforms, and 94 cryptocurrency wallet apps.
Godfather targeting overview (Group-IB)
If the system language is set to Russian, the trojan stops operating.
This is a strong indication that the authors of the malware are from Russia and reside in the Commonwealth of Independent States.
Once installed, Godfather mimics a standard security tool found on all Android devices and simulates a scan of the device.
The goal is to obtain access to the Accessibility Service under the guise of a legitimate tool. Once the victim approves the request, the malware can grant itself all the privileges it needs to do its job.
This includes access to text messages and notifications, screen recording, contacts, making calls, writing to external storage, and reading the device status.
The Accessibility Service is also abused to prevent the user from removing the trojan and to capture the one-time passwords used to log in.
If any of the installed apps are on the target list, the C2 server sends matching injections for them.
These web fakes mimic the login pages of the legitimate applications, and all data entered into the fake HTML pages, such as usernames and passwords, is exfiltrated to the C&C server.
Godfather does not have to wait for the target app to open to take the victim to a phishing page: it can generate fake notifications that appear to come from the apps installed on the victim's device.
Examples of fake overlays targeting Turkish users (Group-IB)
Alternatively, the malware's screen recording feature can capture the credentials the victim types into the login fields.
The trojan also accepts C2 commands, which it executes with administrator privileges on the device:
startUSSD executes a USSD request.
A command to send a text message from the infected device exists but is not processed in later versions of the malware.
startApp launches an app specified by the C2.
A clear-cache command clears the cache of any app specified by the C2.
A command sends a text message to all contacts; it is likely used for propagation, but the latest version does not implement it.
A command enables call forwarding to a number specified by the C2.
openBrowser opens an arbitrary web page.
startSocks5/stopSocks5 enable or disable a SOCKS5 proxy.
killBot makes the trojan delete itself.
A command shows push notifications that open a fake page when clicked.
Godfather's feature modules also allow it to perform keylogging, launch a VNC server, record the screen, lock the screen, block notifications, enable silent mode, and dim the screen.
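The capability profile described above (an Accessibility Service used as the pivot, combined with SMS, notification, overlay, contact, call and storage access) is something an analyst can check for statically before installing an unknown APK. The following script is an added example written for this article, not code from Group-IB, Cyble or the malware itself: it parses a decoded AndroidManifest.xml (as produced by apktool or similar), groups the requested permissions and declared services into capability buckets, and flags the combination this article describes. The Android permission and action strings are real; the grouping, the threshold and the two sample manifests are this example's own constructions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS

# Capability buckets modelled on the access the article lists: SMS, contacts,
# calls, external storage, device state and overlay windows for fake login pages.
# The permission names are real Android permissions; the grouping is this example's own.
CAPABILITY_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "calls": {"android.permission.CALL_PHONE"},
    "external_storage": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "device_state": {"android.permission.READ_PHONE_STATE"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

# Services that bind to the Accessibility Service and the notification listener.
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NOTIFICATION_ACTION = "android.service.notification.NotificationListenerService"
NOTIFICATION_BIND = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def parse_manifest(xml_text):
    """Extract requested permissions and declared services from a decoded manifest."""
    root = ET.fromstring(xml_text)
    permissions = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    services = []
    for svc in root.iter("service"):
        actions = {a.get(NAME_ATTR) for a in svc.iter("action")}
        services.append({
            "name": svc.get(NAME_ATTR),
            "bind_permission": svc.get(PERMISSION_ATTR),
            "actions": actions,
        })
    return {"permissions": permissions, "services": services}


def profile_capabilities(manifest):
    """Map permissions and services to the capability buckets above."""
    caps = set()
    for cap, needed in CAPABILITY_PERMISSIONS.items():
        if manifest["permissions"] & needed:
            caps.add(cap)
    for svc in manifest["services"]:
        if ACCESSIBILITY_ACTION in svc["actions"] or svc["bind_permission"] == ACCESSIBILITY_BIND:
            caps.add("accessibility_service")
        if NOTIFICATION_ACTION in svc["actions"] or svc["bind_permission"] == NOTIFICATION_BIND:
            caps.add("notification_listener")
    return caps


def triage(xml_text):
    """Return the capability list and whether it matches the credential-theft pattern.

    Heuristic (this example's own): an accessibility service combined with overlay
    windows, SMS access or a notification listener is the combination that lets a
    trojan draw fake login pages and intercept one-time passwords.
    """
    caps = profile_capabilities(parse_manifest(xml_text))
    suspicious = "accessibility_service" in caps and bool(caps & {"overlay", "sms", "notification_listener"})
    return {"capabilities": sorted(caps), "suspicious": suspicious}


# Constructed sample manifests for demonstration; not taken from any real APK.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".PlaybackService"/>
  </application>
</manifest>"""

SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label, triage(text))
```

The check is a triage aid, not a verdict: legitimate screen readers and automation tools also declare an accessibility service, and a real sample may request permissions at runtime or hide the payload behind a dropper, so a manifest that looks clean does not clear an app. Feeding it the manifest of the music-tool lookalike this article mentions would require first decoding that APK; the sample manifests here exist only so the script runs offline.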
Connection to Anubis
The source code of Anubis was leaked in the middle of the year, so Godfather may be a new project by the same authors or the work of a new threat group.
The method of receiving the C2 address, the processing and implementation of C2 commands, the web fakes module, the proxy module, and the screen capture module are all similar.
Anubis' file encryption, audio recording, and GPS tracking modules are not included in the current version of Godfather.
Godfather is a feature-rich, dangerous trojan built on proven code from the Anubis malware, targeting an extensive list of apps and users from around the globe.
To protect yourself from this threat, only download apps from the Play Store, keep your device up to date, and keep the number of installed apps to a minimum.